According to reports, the malware is called BXAQ. Once installed on a phone, it downloads text messages, calendar entries, and phone logs, and scans the device against a list of over 70,000 different files.
A joint report by Motherboard, Süddeutsche Zeitung, the Guardian, the New York Times, and the German public broadcaster NDR has found that foreigners crossing the Chinese border into the Xinjiang region are being forced by authorities to install the malware on their phones. The app gives all of their text messages, as well as other pieces of data, to the Chinese authorities.
The Android malware is installed by a border guard, who will physically seize the phone and scan the tourist or traveller’s device for a specific set of files.
Reports have it that the files authorities are looking for include Islamic extremist content, Islamic material like the Quran, academic books on Islam by leading researchers, PDFs related to the Dalai Lama, and a music file from the Japanese metal band Unholy Grave (the band has a song called “Taiwan: Another China”).
One tourist who crossed the border and had the malware installed on their device provided a copy to Süddeutsche Zeitung and Motherboard. A member of the reporting team from Süddeutsche Zeitung then also crossed the border and had the same malware installed on their own phone.
Motherboard made the app available by uploading a copy of the Android file to GitHub, where it can be downloaded.
Crossing the border now takes longer: getting through the several stages of scrutiny and security takes around half a day, one of the travelers said.
BXAQ is installed on an Android phone by “side-loading” it and requesting certain permissions, rather than by downloading it from the Google Play Store. Once installed, it collects all of the phone’s calendar entries, phone contacts, call logs, and text messages and uploads them to a server, according to expert analysis. The malware also scans the phone to see which apps are installed, and extracts the subject’s usernames for some installed apps.
The app does not try to hide itself. Instead, it displays an icon on the device’s app select screen, suggesting that it is designed to be removed from the phone after use by the authorities.
Included in the app’s code are hashes for over 73,000 different files the malware scans for.
Ordinarily, it is difficult to determine what specific files these hashes relate to, but the reporting team and researchers managed to uncover the inputs of around 1,300 of them. This was done by searching for connected files on the file search engine VirusTotal.
Citizen Lab identified the hashes in the VirusTotal database, and researchers from the Bochum team later downloaded some of the files from VirusTotal. The reporting team also found other copies online, and verified what sort of material the app was scanning for.
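How a lookup of this kind works, as an added example that is not code from the report or from the app: a digest list says nothing about its inputs by itself, but hashing a corpus of known files and matching digests recovers a name for every entry the corpus holds byte for byte. SHA-256, the file names and the file contents are constructed assumptions; the article does not say which hash function BXAQ uses.

```python
import hashlib


def digest(data: bytes) -> str:
    # Assumption: SHA-256 stands in for whatever hash the app really uses.
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a corpus of already-known files
# (the role VirusTotal played for the researchers).
KNOWN_CORPUS = {
    "report.pdf": b"%PDF-1.4 constructed sample A",
    "song.mp3": b"ID3 constructed sample B",
    "notes.txt": b"constructed sample C",
}

# Constructed stand-in for the hash list extracted from the app.
# Two entries have an input in the corpus, the third does not.
EXTRACTED_HASHES = [
    digest(KNOWN_CORPUS["report.pdf"]),
    digest(KNOWN_CORPUS["song.mp3"]),
    digest(b"constructed file that is in no corpus"),
]


def resolve_hashes(hashes, corpus):
    """Map each extracted hash to the corpus file that produces it, or None."""
    index = {digest(content): name for name, content in corpus.items()}
    return {h: index.get(h) for h in hashes}


def coverage(resolved):
    """Return (identified, total) for a resolve_hashes() result."""
    identified = sum(1 for name in resolved.values() if name is not None)
    return identified, len(resolved)


if __name__ == "__main__":
    result = resolve_hashes(EXTRACTED_HASHES, KNOWN_CORPUS)
    for h, name in result.items():
        print(h[:16], "->", name or "unknown input")
    print("identified %d of %d" % coverage(result))
```

Only byte-identical copies resolve, so the share of a hash list that can be identified depends entirely on what the lookup corpus already contains.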
One of the files being scanned for is “The Syrian Jihad”, a book written by Charles Lister, a leading terrorism scholar and senior fellow and director of the Countering Terrorism and Extremism program at the Middle East Institute.
“This is news to me!” Lister wrote in an email. “I’ve never had any criticism for the book—in fact, in all honesty, the opposite.”
“Instead, I suspect China’s authorities would find anything with the word ‘jihad’ in the title to be potentially suspicious,” he added. “The book covers, albeit minimally, the role of the Turkistan Islamic Party in Syria, which may also be a point of sensitivity for Beijing. I’ve met with and engaged with Chinese officials to brief them on these issues, so I’m not aware of any problem Beijing would have with me.”
The app is an improved version of a similar app Motherboard previously covered, called JingWang.
JingWang is a piece of malware installed on devices in the Xinjiang region of China. Authorities typically installed JingWang on phones belonging to the Muslim Uighur population, and the app also scanned a phone for a similar set of particular files.
According to expert analysis, the list of hunted files in BXAQ overlaps somewhat, but not entirely, with those that JingWang searches for, but BXAQ goes further.
Chinese authorities did not respond to a request for comment concerning the issue. Neither did Nanjing FiberHome StarrySky Communication Development Company Ltd, the partly state-owned company that developed the app.
“There is an increasing trend around the world to treat borders as law-free zones where authorities have the right to carry out whatever outrageous form of surveillance they want,” Omanovic said.